cli_bytecode_init_jit() in libclamav/c++/bytecode2llvm.cpp in the clamav source tree has the following:

    sys::MemoryBlock B = sys::Memory::AllocateRWX(4096, NULL, &ErrMsg);
    if (B.base() == 0) {
        errs() << MODULE << ErrMsg << "\n";
    #ifdef __linux__
        errs() << MODULE << "SELinux is preventing 'execmem' access. Run 'setsebool -P clamd_use_jit on' to allow access\n";
    #endif
        errs() << MODULE << "falling back to interpreter mode\n";
        return 0;
    } else {
        sys::Memory::ReleaseRWX(B);
    }

The fact that the developers assumed that SE Linux is the only mechanism that prevents RWX access is interesting.

Now the boolean in question only applies to the clamd_t domain, not the freshclam_t domain, but for some reason freshclam uses the jit anyway. Should we put in a dontaudit rule for freshclam_t or include it in the boolean section so that it gets execmem access if clamd_t gets it?

Also on my system the error message about SE Linux doesn't seem to get written to the log file, so I only found it by reading the source.

--
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog

--
This message was distributed to subscribers of the selinux mailing list.
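An added example, not code from ClamAV or from the message above: a probe that blames SELinux for a failed RWX allocation only when SELinux is actually enforcing and the error is EACCES, instead of assuming it on every Linux system. It assumes Linux and that the RWX probe amounts to an anonymous RWX mmap; the names probe_rwx, selinux_enforcing and classify_rwx are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>

enum rwx_cause { RWX_OK, RWX_SELINUX_LIKELY, RWX_OTHER };

/* Map one RWX page (assumed equivalent of the JIT probe); return 0 or errno. */
int probe_rwx(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, 4096);
    return 0;
}

/* 1 = enforcing, 0 = permissive, -1 = SELinux absent or state unreadable. */
int selinux_enforcing(void)
{
    FILE *f = fopen("/sys/fs/selinux/enforce", "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Attribute the failure to SELinux only if it is enforcing and the error is
 * EACCES (what an SELinux denial returns); otherwise report it as "other". */
enum rwx_cause classify_rwx(int err, int enforcing)
{
    if (err == 0)
        return RWX_OK;
    return (err == EACCES && enforcing == 1) ? RWX_SELINUX_LIKELY : RWX_OTHER;
}

int main(void)
{
    int err = probe_rwx();
    switch (classify_rwx(err, selinux_enforcing())) {
    case RWX_OK: puts("RWX allowed, JIT usable"); break;
    case RWX_SELINUX_LIKELY: puts("RWX denied with SELinux enforcing: check execmem for this domain"); break;
    default: printf("RWX denied (errno %d), not attributable to SELinux\n", err);
    }
    return 0;
}
```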